update default deny

Signed-off-by: gwg313 <gwg313@pm.me>

forgejo/deployment.yaml

@@ -28,6 +28,13 @@ spec:
           ports:
             - containerPort: 3000
             - containerPort: 2222
+          resources:
+            requests:
+              cpu: "50m"
+              memory: "128Mi"
+            limits:
+              cpu: "1000m"
+              memory: "512Mi"
           env:
             - name: FORGEJO__server__ROOT_URL
               value: "https://git.gwg313.xyz/"

forgejo/network-policy.yaml

@@ -1,13 +1,30 @@
+# ----------------------------------------------------
+# Default deny (namespace baseline)
+# ----------------------------------------------------
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
-  name: allow-ingress-to-forgejo
+  name: default-deny
+  namespace: forgejo
+spec:
+  endpointSelector: {}
+  ingress: []
+  egress: []
+
+---
+# ----------------------------------------------------
+# Ingress only from Gateway API
+# ----------------------------------------------------
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-ingress
   namespace: forgejo
 spec:
-  description: "Accept incoming traffic from the native mesh proxy"
   endpointSelector:
     matchLabels:
       app: forgejo
+
   ingress:
     - fromEntities:
         - ingress
@@ -15,3 +32,103 @@ spec:
         - ports:
             - port: "3000"
               protocol: TCP
+
+---
+# ----------------------------------------------------
+# DNS (cluster DNS only)
+# ----------------------------------------------------
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-dns
+  namespace: forgejo
+spec:
+  endpointSelector:
+    matchLabels:
+      app: forgejo
+  egress:
+    - toEndpoints:
+        - matchLabels:
+            k8s:io.kubernetes.pod.namespace: kube-system
+            k8s-app: kube-dns
+      toPorts:
+        - ports:
+            - port: "53"
+              protocol: ANY
+          rules:
+            dns:
+              - matchPattern: "*"
+
+# ---
+# # ----------------------------------------------------
+# # CI runner access (in-cluster service)
+# # ----------------------------------------------------
+# apiVersion: cilium.io/v2
+# kind: CiliumNetworkPolicy
+# metadata:
+#   name: allow-ci-runner
+#   namespace: forgejo
+# spec:
+#   endpointSelector:
+#     matchLabels:
+#       app: forgejo
+#
+#   egress:
+#     - toEndpoints:
+#         - matchLabels:
+#             app: ci-runner   # adjust to your runner labels
+#       toPorts:
+#         - ports:
+#             - port: "80"
+#               protocol: TCP
+#             - port: "443"
+#               protocol: TCP
+#
+---
+# ----------------------------------------------------
+# External git providers (FQDN restricted)
+# ----------------------------------------------------
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-git-egress
+  namespace: forgejo
+spec:
+  endpointSelector:
+    matchLabels:
+      app: forgejo
+
+  egress:
+    - toFQDNs:
+        - matchName: github.com
+        - matchName: api.github.com
+        - matchName: raw.githubusercontent.com
+      toPorts:
+        - ports:
+            - port: "443"
+              protocol: TCP
+
+---
+# ----------------------------------------------------
+# OPTIONAL: unrestricted egress (disabled by default)
+# Enable ONLY when required for troubleshooting or apps
+# ----------------------------------------------------
+# apiVersion: cilium.io/v2
+# kind: CiliumNetworkPolicy
+# metadata:
+#   name: allow-all-egress
+#   namespace: forgejo
+# spec:
+#   endpointSelector:
+#     matchLabels:
+#       app: forgejo
+#
+#   egress:
+#     - toEntities:
+#         - world
+#       toPorts:
+#         - ports:
+#             - port: "443"
+#               protocol: TCP
+#             - port: "80"
+#               protocol: TCP